Abstract

During development and deployment of Government-to-Citizen (G2C) e-services, stakeholders must take cybersecurity risks into account. Recently, Estonia proposed a novel e-service delivery through the use of virtual assistants. Cybersecurity is important to any organization due to the prevalence of attacks in recent times. Organizations in both the public sector and private sector typically have a program that determines, calculates and treats risks. These programs are identified as “risk management,” and cybersecurity risk assessment and analysis are a key part of these organizations. When correctly implemented, these programs can help decision makers allocate their cyber defense budgets in a more effective manner.

The researchers conducted interviews with seven cybersecurity experts discussing cybersecurity data, metrics and risk assessment and analysis methods. These interviews informed the use of the Open Group’s Factor Analysis of Information Risk (FAIR) model in this paper.

Because Estonia is one of the first countries in the world to prioritize e-service development in this domain, there is a literature gap pertaining to cybersecurity risk analyses of virtual assistant enabled e-services. Although a multiplicity of methods exists for risk assessment and analysis, this research follows the FAIR method to assess a G2C e-service which uses a third-party provider for an Amazon Alexa skill that has become corrupted due to malware infection. The FAIR method projects the risk for a particular vulnerability in terms of dollar amount loss over time. It states the annualized loss exposure in terms of a minimum loss, a maximum loss, and a most likely amount of loss.

Aggregated global public sector cyber breach frequency data was taken from the Privacy Rights Clearinghouse database and loss magnitude data was taken from the Cyentia IRIS 2020 report, which utilized the Advisen cyber loss database. Based upon a Project Evaluation and Review Technique (PERT) distribution Monte Carlo simulation of this data, the annualized loss exposure projection for the public sector entity was a minimum likely value of $0, a most likely value of $70,500 and a maximum likely value of $6,000,000. Future work proposes more country- and organization-specific data for FAIR methodology use for G2C virtual assistant e-services analysis. The value of the work is that it shows how public sector agencies could use the FAIR model to make their cybersecurity risk models more quantitative than is generally currently practiced, even in cases of new types of developments and services, in order to aid decision-makers in allocation of funding to better defend against the most impactful risks.
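The kind of PERT-distribution Monte Carlo simulation described above can be sketched as follows; this is an added example, not the researchers' code or data. The three-point inputs are constructed for illustration, and treating the yearly event count as Poisson-distributed is a modelling assumption of this sketch.

```python
import math
import random

def pert(rng, low, mode, high, lam=4.0):
    """Draw one value from a PERT distribution on [low, high] peaking at mode."""
    if high == low:
        return low
    span = high - low
    alpha = 1.0 + lam * (mode - low) / span
    beta = 1.0 + lam * (high - mode) / span
    return low + span * rng.betavariate(alpha, beta)

def poisson(rng, rate):
    """Knuth's method: number of loss events in one year at the given rate."""
    limit, count, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate_ale(frequency, magnitude, trials=10_000, seed=1):
    """Simulate annual losses; frequency and magnitude are (min, mode, max)."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        # One simulated year: draw an event rate, then a loss for each event.
        events = poisson(rng, pert(rng, *frequency))
        years.append(sum(pert(rng, *magnitude) for _ in range(events)))
    years.sort()
    return {
        "min": years[0],
        "p50": years[trials // 2],
        "p90": years[int(trials * 0.9)],
        "max": years[-1],
        "mean": sum(years) / trials,
    }

# Constructed inputs, NOT the paper's data:
FREQUENCY = (0.0, 0.2, 1.0)               # loss events per year
MAGNITUDE = (10_000, 70_000, 2_000_000)   # dollars per loss event

if __name__ == "__main__":
    for name, value in simulate_ale(FREQUENCY, MAGNITUDE).items():
        print(f"{name:>4}: ${value:,.0f}")
```

Years with no loss event contribute $0, which is why a simulation of this shape can report a minimum exposure of zero alongside a long right tail.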
